ssinseeme Posted March 3, 2021

Hi there, someone else posted this a year ago, but the string didn't have a clear answer. What should I do with this warning?

On Mar 2 there were 301 invalid login attempts. This could either be yourself attempting to login to your server (SSH / Telnet) with the wrong user or password, or you could be actively be the victim of hack attacks. A common cause of this would be placing your server within your router's DMZ, or improperly forwarding ports. This is a major issue and needs to be addressed IMMEDIATELY

NOTE: Because this check is done against the logged entries in the syslog, the only way to clear it is to either increase the number of allowed invalid logins per day (if determined that it is not a hack attempt) or to reset your server. It is not recommended under any circumstance to ignore this error
Hoopster Posted March 3, 2021

1 minute ago, ssinseeme said:
> what should I do with this warning?

Post your diagnostics so someone can see where the invalid logins originate.
ssinseeme (Author) Posted March 3, 2021

Who the F** is this guy?? I see in the Syslog multiple failed attempts. Please see the attachment below. What should I do??

error: Could not get shadow information for NOUSER
Mar 2 13:00:53 Tower sshd[22552]: Failed none for invalid user admin from 10.0.1.137 port 51262 ssh2
Mar 2 13:00:53 Tower sshd[22552]: Failed password for invalid user admin from 10.0.1.137 port 51262 ssh2
Mar 2 13:00:53 Tower sshd[22552]: Connection closed by invalid user admin 10.0.1.137 port 51262 [preauth]
Mar 2 13:00:57 Tower sshd[22566]: Invalid user admin from 10.0.1.137 port 51887.....

syslog.txt
trurl Posted March 3, 2021

Normally 10.* IP addresses are LAN. Something else on your network compromised?
trurl Posted March 3, 2021

28 minutes ago, Hoopster said:
> Post your diagnostics

You only posted syslog. Tools - Diagnostics.
ssinseeme (Author) Posted March 3, 2021

10.0.1.137 is one of my desktops that I haven't used for a long time. Somehow we lost power and that desktop turns on automatically. I wonder if it was a virus?
ssinseeme (Author) Posted March 3, 2021

Can you guide me on what else you check other than syslog to find out?

tower-diagnostics-20210302-2109.zip
trurl Posted March 3, 2021

Other things in Diagnostics can make it a lot easier to work with syslog. Sometimes I never even look at syslog, other times I only look at syslog after looking at other things in Diagnostics. One thing in diagnostics that would be easy to find in this case was the IP address of your server (in system/ifconfig.txt) to check if it was the same subnet as the attacker.
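Added example, not part of the thread and not Unraid's own code: the check described in the post above (is the source of the failed logins on the same subnet as the server?) run over the sshd lines quoted earlier. The server address 10.0.1.10/24 and the last log line are constructed assumptions; the real address comes from system/ifconfig.txt in the diagnostics.

```python
import ipaddress
import re
from collections import Counter

# First four lines are the sshd entries quoted in the thread; the last one is
# constructed for contrast (203.0.113.5 is a documentation-range address).
SAMPLE_SYSLOG = """\
Mar 2 13:00:53 Tower sshd[22552]: Failed none for invalid user admin from 10.0.1.137 port 51262 ssh2
Mar 2 13:00:53 Tower sshd[22552]: Failed password for invalid user admin from 10.0.1.137 port 51262 ssh2
Mar 2 13:00:53 Tower sshd[22552]: Connection closed by invalid user admin 10.0.1.137 port 51262 [preauth]
Mar 2 13:00:57 Tower sshd[22566]: Invalid user admin from 10.0.1.137 port 51887
Mar 2 14:10:02 Tower sshd[23001]: Failed password for root from 203.0.113.5 port 40122 ssh2
"""
SERVER_IFACE = "10.0.1.10/24"  # assumption: server address/prefix as read from ifconfig.txt

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Matches "Failed <method> for [invalid user ]<user> from <ip> port N"
# and "Invalid user <user> from <ip> port N"; "Connection closed" lines are skipped.
FAILED = re.compile(
    r"sshd\[\d+\]: (?:Failed \S+ for (?:invalid user )?|Invalid user )"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+")

def classify(ip, lan):
    """Place a source address relative to the server's own subnet."""
    if ip in lan:
        return "same-subnet"      # the router's firewall never sees this traffic
    if any(ip in net for net in RFC1918):
        return "private-other"    # another internal segment, VPN or container network
    return "external"             # reached sshd through a forwarded port or DMZ

def summarize(syslog_text, server_iface):
    """Count failed sshd logins per source IP and classify each source."""
    lan = ipaddress.ip_interface(server_iface).network
    hits, users = Counter(), {}
    for line in syslog_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:        # hostname or garbage where the address should be
            continue
        hits[ip] += 1
        users.setdefault(ip, set()).add(m["user"])
    return [{"ip": str(ip), "attempts": n, "users": sorted(users[ip]),
             "origin": classify(ip, lan)} for ip, n in hits.most_common()]

if __name__ == "__main__":
    for row in summarize(SAMPLE_SYSLOG, SERVER_IFACE):
        print(row)
```

A "same-subnet" source points at a device on the LAN, so router port-forwarding rules are not the cause; an "external" source points at a forwarded port or DMZ placement, as the warning text itself suggests.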
trurl Posted March 3, 2021

I encourage you to examine your Diagnostics. It is all text.
ssinseeme (Author) Posted March 3, 2021

Yes. But what should I do to prevent this attack from happening internally to my Unraid? Like I said, the IP I see in Sys was my old PC. Should I ignore the warning ⚠️ now in Unraid?
trurl Posted March 3, 2021

17 minutes ago, ssinseeme said:
> 10.0.1.137 is one of my desktops that I haven't used for a long time.

Why is it on your network if you don't use it?
ssinseeme (Author) Posted March 3, 2021

It was just sitting in the basement doing nothing until today's power outage. What are all these ports with IP? I don't have any of them open!! And how could my PC try to log in to my Unraid server?? I don't get it. It's disconnected now. Did you see anything else on the system file?
trurl Posted March 3, 2021

Since the "attacker" is on your LAN you are not protected from it by the firewall of your router. Possibly that PC is infected, or maybe it is allowing access from outside your LAN. Reboot your server to get your logs cleared, wait a while, then post new diagnostics.
SimonF Posted March 3, 2021

Have you ever installed a vulnerability scanner on that PC as another possible option, like Nessus or something similar?
ssinseeme (Author) Posted March 3, 2021

2 hours ago, trurl said:
> Since the "attacker" is on your LAN you are not protected from it by the firewall of your router. Possibly that PC is infected, or maybe it is allowing access from outside your LAN. Reboot your server to get your logs cleared, wait a while, then post new diagnostics.

I want to make sure: by PC you mean the old PC, not the Unraid server, right? I don't know what you mean with "allowing access from outside LAN". I use LAN to access the internet. In case I use this old PC, how do I prevent it from accessing my network, meaning my server and other computers? I want to use it only to access the internet. I will reboot the server and post the diagnostic. Should I ignore that warning or just reboot?
trurl Posted March 3, 2021

12 minutes ago, ssinseeme said:
> by PC you mean the old PC, not the Unraid server, right?

right

13 minutes ago, ssinseeme said:
> I don't know what you mean with "allowing access from outside LAN"

Perhaps someone (or a bot) was using that old PC to gain access to your local network from outside. If you really want to use that old PC you should make sure it is clean before attaching it to your LAN.
S80_UK Posted March 3, 2021

1 hour ago, ssinseeme said:
> I don't know what you mean with "allowing access from outside LAN"

This is probably unlikely, but did you ever enable Remote Desktop Connection or anything similar on that machine? That might include other remote control tools such as TeamViewer. They have legitimate uses, but only if you're in control of their use.

You mentioned a power failure. Did that PC start up by itself afterwards? Another safeguard would be to check that PC's power settings in the BIOS. Unless you need it to power up automatically (if the PC was unused then it probably isn't) then I would set it to not power up when the AC power is applied. The behaviour on restoration of AC power is generally configured in the PC's BIOS settings. Normally you would have most machines set to stay powered off at that time, although a reasonable exception would be on machines such as your Unraid server that you might want to restart without supervision.
Energen Posted March 3, 2021

I got "hack attempts" from my desktop PC because of a network LAN scanner, so it really depends on what's connecting or why.